What must be reported when a computer drive with protected health information is lost?


Issue:

One of your employees lost a computer drive that likely contained protected health information (PHI) covered by the Health Insurance Portability and Accountability Act (HIPAA). What self-reporting obligations, if any, does your company have?

Answer:    

The answer depends on whether the PHI was secured or unsecured.

"Unsecured" PHI is essentially PHI that has not been rendered technologically unreadable or unusable. If the PHI is unsecured, then the business may very well have a self-reporting obligation under HIPAA. (This assumes that the business is a "covered entity" for HIPAA purposes.)

The self-reporting obligation may not apply if the business can demonstrate that the lost computer drive (referred to as a "breach" in HIPAA parlance) presents only a low probability that the PHI has been compromised based on a risk assessment that considers a number of different factors.

If the self-reporting obligation does apply, it may be accomplished by notifying the affected individuals and the U.S. Department of Health and Human Services of the breach, and, if the breach is significant enough, the media. A failure to properly and timely issue such HIPAA breach notices could lead to significant penalties (in addition to any penalties that may apply as a result of the breach). If a business suspects that PHI has been compromised in any respect, it should contact qualified counsel promptly.

Source: HHS Reg. Sec. 164.402.

[ Return to top of document ]